cap_prctl - Linux
Overview
cap_prctl is a command-line utility in Linux that allows users with the CAP_SETPCAP privilege to manipulate the capabilities of the current process or its threads. It is used to change the effective and inheritable capabilities of the process, enabling fine-grained control over the permissions granted to specific programs.
Syntax
cap_prctl [ACTION] [CAPABILITY] [THREAD_FLAG] [PID]
where:
- ACTION specifies the operation to perform.
- CAPABILITY is the capability to be modified.
- THREAD_FLAG applies the changes only to specific threads.
- PID is the process ID (optional).
Options/Flags
- -a (ACTION): Add the capability to the set.
- -d (ACTION): Drop the capability from the set.
- -l (ACTION): List the effective and inheritable capabilities of the process.
- -r (THREAD_FLAG): Apply to all threads of the process.
- -e (THREAD_FLAG): Apply only to the calling thread.
- -p (THREAD_FLAG): Specify the PID of the thread to affect.
Examples
- Add CAP_SYS_ADMIN to the process:
cap_prctl -a CAP_SYS_ADMIN
- List the effective capabilities of the process:
cap_prctl -l
- Drop CAP_DAC_READ_SEARCH from all threads:
cap_prctl -d CAP_DAC_READ_SEARCH -r
- Apply capabilities to a specific thread of another process:
cap_prctl -a CAP_NET_ADMIN -p 1234
Common Issues
- Permission Denied: The user must have CAP_SETPCAP privilege to use cap_prctl.
- Invalid Capability: The specified capability name is not a capability recognized by the kernel.
- Invalid Thread: The specified thread does not exist.
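Before adding or dropping anything, a practitioner usually wants to see which capability sets a process actually holds, and in particular whether CAP_SETPCAP is in its effective set (the "Permission Denied" case above). The decoder below is an added example, not part of this page or of any cap_prctl tool; it assumes the Cap* lines of /proc/<pid>/status carry 64-bit hex masks and uses the bit numbering from linux/capability.h, and the sample status text is constructed.

```python
"""Decode the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks of /proc/<pid>/status."""
import re

# Capability numbers from linux/capability.h; list index == bit position.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID",
    "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

CAP_LINE = re.compile(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$")


def decode_capmask(hex_mask: str) -> list[str]:
    """Turn a hex bitmask into the sorted list of capability names it contains."""
    mask = int(hex_mask, 16)
    # Bits beyond the known list are reported numerically (newer kernels).
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]


def parse_status(text: str) -> dict[str, list[str]]:
    """Extract all five capability sets from the text of a /proc/<pid>/status file."""
    sets = {}
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = decode_capmask(m.group(2))
    return sets


def has_cap(sets: dict[str, list[str]], which: str, name: str) -> bool:
    """True if capability `name` is present in set `which` (e.g. "CapEff")."""
    return name in sets.get(which, [])


# Constructed sample: a process holding the 14-capability set typically granted
# to unprivileged containers; CAP_SETPCAP is present, CAP_SYS_ADMIN is not.
SAMPLE_STATUS = ("Name:\tsample\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                 "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n")

if __name__ == "__main__":
    with open("/proc/self/status") as f:  # live check on Linux
        print(parse_status(f.read()))
```

Running the module prints the live capability sets of the Python process; `has_cap(sets, "CapEff", "CAP_SETPCAP")` is the check to make before expecting cap_prctl to succeed.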
Integration
cap_prctl can be integrated with other commands to perform advanced tasks:
- setuid with capabilities: Create a program with reduced privileges that elevates to a specific set of capabilities when needed.
- Container Security: Set specific capabilities for containers to restrict their actions and enhance security.
- SELinux: Modify capabilities in SELinux environments to define fine-grained access controls.
Related Commands
- capabilities
- lscap
- setcap